Google Git
Sign in
android / platform / system / sepolicy / refs/heads/pie-gsi^! / .
commitef610191f7cd2158a6368b4a24916ea8d6cc1d96[log] [tgz]
authorYongqin Liu <yongqin.liu@linaro.org>Mon Jul 02 18:34:18 2018 +0800
committerAlistair Delva <adelva@google.com>Wed Nov 18 12:53:02 2020 -0800
treeed5a06c3cd042801378eaff60b16e130b91882f1
parent3b80f3a891135529da7e4a16bcd8954899e1e576 [diff]
public/netd.te: allow netd to operate icmp_socket that passed to it

This should be supplement for the change here:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/708638

When test the cts libcore.libcore.io.OsTest#test_socketPing test case, it will fail
with avc denial message like following:

[ 1906.617027] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617189] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617206] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617313] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617330] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1907.832425] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1

Test: run cts -m CtsLibcoreTestCases -t libcore.libcore.io.OsTest#test_socketPing

Change-Id: If41cb804292834b8994333f170d1f7f837bcd7df
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit 8a8d4ef5329f700f150db9bbfa2940e16af796c2)

diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index a550b25..c052756 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te

@@ -94,6 +94,7 @@
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{
+  icmp_socket
   tcp_socket
   udp_socket
   rawip_socket

diff --git a/public/netd.te b/public/netd.te
index a550b25..c052756 100644
--- a/public/netd.te
+++ b/public/netd.te

@@ -94,6 +94,7 @@
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{
+  icmp_socket
   tcp_socket
   udp_socket
   rawip_socket